Preparing for a SOC 2 Audit: What the Week Before Should Look Like

May 23, 2024

If your SOC 2 audit preparation is starting in the week before the audit begins, the preparation started too late. A SOC 2 Type 2 audit covers a period of typically six to twelve months of operating effectiveness. The evidence for that period should have been collected throughout. What the final week before the audit should involve is confirmation, organisation, and briefing, not collection and remediation.

That said, the final week matters. A well-run final week reduces friction during the audit fieldwork, reduces the likelihood of requests for evidence that should have been ready, and ensures that the team engaging with auditors is briefed and composed rather than scrambling. This article covers what a well-prepared organisation does in the days immediately before a SOC 2 audit commences.

Evidence Organisation and the Evidence Package

The first priority in the week before the audit is verifying that evidence for every control in scope is collected, labelled correctly, and accessible to the audit team. Evidence should be organised by control, not by date or by the system it came from. An auditor reviewing evidence for the access control criteria should be able to navigate to that evidence directly without searching through a chronological file dump. Spend time in the early part of the final week walking through the evidence structure from the auditor's perspective rather than the evidence collector's perspective.

Check each piece of evidence against what it is supposed to demonstrate. A log file that shows access events but does not show the outcome of a quarterly access review does not satisfy the access review requirement. An onboarding checklist that shows security training was assigned but does not show it was completed does not satisfy the security training requirement. Evidence gaps discovered on the first day of an audit that could have been identified and addressed in the preceding week are avoidable. A control-by-control evidence review in the days before fieldwork begins is the single most effective pre-audit activity.

Access Provisioning and System Readiness

SOC 2 auditors will typically need access to certain systems or reports during fieldwork. If the audit is conducted through a platform, the auditor's access to that platform should be tested before fieldwork begins. If the auditor needs read access to specific configuration reports, cloud infrastructure dashboards, or logging systems, provision and test that access in advance. Discovering on the first day of fieldwork that the auditor cannot access a system they need adds unnecessary delay and creates an unfavourable first impression of the organisation's preparedness.

Also review your own internal access positions in the week before the audit. If a staff member with administrative privileges has left the organisation, confirm that their access has been removed and that the removal is evidenced. If privileged access reviews are required as part of your control scope, confirm the most recent review is documented and the date falls within the audit period. Access-related findings are among the most common in SOC 2 audits and many of them are preventable with a focused pre-audit access check.

Team Briefing and Auditor Interaction Protocol

The team members who will interact with auditors during fieldwork should be briefed before the audit begins. The briefing does not need to be long, but it should cover what the audit is assessing, what the auditor will be asking about, what to do when they are asked a question they cannot answer immediately, and who to escalate to if an issue arises. Staff who interact with auditors without preparation sometimes volunteer information that is technically accurate but introduces scope questions the organisation was not expecting to address.

A clear protocol for auditor interaction prevents that. When an auditor asks a question, the answer should be accurate and specific to what was asked. If additional context would be helpful, it should be offered deliberately rather than incidentally. If a question requires checking records or consulting a colleague, it is appropriate to say so and follow up, rather than answering from memory with potential inaccuracy. Auditors expect organised, responsive engagement. Oversharing or uncertainty does not improve the audit outcome.

The Final Walkthrough

In the last day or two before fieldwork begins, conduct a final walkthrough of the audit scope with whoever is managing the audit from the organisation's side. The walkthrough should confirm that the audit period, scope of systems, and trust service criteria are agreed with the auditor, that there are no outstanding items from the planning phase, and that the schedule for fieldwork is confirmed. Any last-minute changes to scope or schedule are better surfaced and resolved before fieldwork than discovered during it.

The walkthrough is also the time to confirm whether there are any known issues the organisation intends to disclose proactively. If a control exception occurred during the audit period, a treatment-stage vulnerability was not remediated within your stated timeframe, or an incident occurred that is relevant to the audit scope, your auditor should be aware of these before they discover them independently. Proactive disclosure is handled differently from an undisclosed finding and reflects more favourably on the organisation's overall control environment. To discuss SOC 2 audit readiness and how we support organisations through the preparation and fieldwork process, contact Cyberlinx at info@cyberlinx.com.au.

Table of Contents
Resource Type
Blogs
Category
GRC
Written by
Indra Gunawan
Head of Consulting
Free Risk Assessment
Cyberlinx brand name with linked chain links icon above it in white on a black background.

Ready to secure your
business?